A WAF, or web application firewall, helps protect web applications by filtering and monitoring HTTP traffic between the web application and the internet. It typically protects web applications against attacks such as cross-site forgery, cross-site scripting (XSS), file inclusion, and SQL injection. A WAF is a protocol layer 7 defense (in the OSI model) and is not designed to defend against all types of attacks. This approach to attack mitigation is often part of a suite of tools that together create a holistic defense against a range of attack vectors.
By deploying a WAF in front of a web application, a barrier is placed between the web application and the internet. A proxy server protects the identity of the client machine by using an intermediary, while a WAF is a type of reverse proxy that protects the server from being exposed by having the client go through the WAF before reaching the server.
WAFs operate through a set of rules commonly called policies. These policies are designed to protect against vulnerabilities in applications by filtering out malicious traffic. Part of the value of a WAF comes from the speed and ease of policy modification, allowing for faster responses to different attack vectors; during a DDoS attack, rate limiting can be quickly enforced by modifying WAF policy.
A WAF that operates on a blocklist (negative security model) protects against known attacks. Think of a blocklist-based WAF as a club bouncer instructed to deny entry to guests who do not meet the dress code. In contrast, an allowlist-based WAF (positive security model) only admits traffic that has been pre-approved. It's like the bouncer at an exclusive party, who only lets in those on the list. Both blocklists and allowlists have their advantages and disadvantages, which is why many WAFs offer a hybrid security model that implements both.
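To make the policy models above concrete, here is a small added example (not code from the original page or from any WAF vendor) of a request inspector that can run in blocklist, allowlist or hybrid mode, with a rate-limit policy that can be tightened at runtime, as the DDoS scenario above describes. The signatures, allowed routes and sample requests are constructed for illustration.

```python
import re
import time
from collections import defaultdict, deque

# Constructed blocklist (negative security model): signatures of known attack
# classes the page names (XSS, file inclusion, SQL injection).
BLOCKLIST = [
    ("xss", re.compile(r"<script\b", re.I)),
    ("file-inclusion", re.compile(r"\.\./")),
    ("sqli", re.compile(r"\bunion\s+select\b", re.I)),
]
# Constructed allowlist (positive security model): only pre-approved
# method/path pairs are admitted; anything else is denied by default.
ALLOWLIST = {("GET", "/"), ("GET", "/products"), ("POST", "/login")}


class Waf:
    """Hypothetical reverse-proxy policy engine; returns (decision, reason)."""

    def __init__(self, mode="hybrid", rate_limit=None, window=60.0):
        self.mode = mode                 # "blocklist", "allowlist" or "hybrid"
        self.rate_limit = rate_limit     # max requests per client per window
        self.window = window             # window length in seconds
        self.hits = defaultdict(deque)   # client -> timestamps of recent requests

    def set_rate_limit(self, limit, window=60.0):
        # Policy change applied without redeploying the application,
        # e.g. enforcing rate limiting while a DDoS is under way.
        self.rate_limit, self.window = limit, window

    def inspect(self, client_ip, method, path, query, now=None):
        now = time.monotonic() if now is None else now
        if self.rate_limit is not None:
            q = self.hits[client_ip]
            while q and now - q[0] > self.window:   # drop expired timestamps
                q.popleft()
            q.append(now)
            if len(q) > self.rate_limit:
                return "block", "rate-limit"
        # Positive model: deny anything not explicitly pre-approved.
        if self.mode in ("allowlist", "hybrid") and (method, path) not in ALLOWLIST:
            return "block", "not-allowlisted"
        # Negative model: deny requests matching a known-bad signature.
        if self.mode in ("blocklist", "hybrid"):
            for name, pattern in BLOCKLIST:
                if pattern.search(path) or pattern.search(query):
                    return "block", name
        return "allow", None
```

Note that the blocklist alone admits an unknown route such as `/admin`, while the allowlist rejects it; the hybrid mode applies both checks.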
A WAF can be implemented in three different ways, each with its own advantages and disadvantages:
Network-based WAFs are usually hardware-based. Since they are installed locally, latency is minimized, but network-based WAFs are the most expensive option and also require physical equipment to be stored and maintained.
Host-based WAFs can be fully integrated into the application's software. This solution is less expensive than a network-based WAF and offers more customizability. The disadvantages of host-based WAFs are the consumption of local server resources, implementation complexity, and maintenance costs. These components often require engineering time and can be expensive.
Cloud-based WAFs offer an affordable option that is easy to implement; they often offer turnkey installations that are as simple as changing DNS to redirect traffic. Cloud-based WAFs also have minimal upfront costs, as users pay monthly or annually for security-as-a-service. Cloud-based WAFs can also provide a solution that is continuously updated to protect against the latest threats without any additional effort or cost on the user's end. The downside of a cloud-based WAF is that the user hands over responsibility to a third party, so some features of the WAF can be a black box to them. (A cloud-based WAF is a type of cloud firewall.)